Security Safeguards

How We Protect Patient Data

Keeping patient health information secure is our highest priority. With that in mind, we keep data safe through every step of integration.

Securing the Engine

Redox exceeds industry, HIPAA, and National Institute of Standards and Technology (NIST) recommended encryption standards to protect client data.
We deploy code changes without any interruption to traffic as application code runs in Docker containers in the app layer.
We're hosted on Amazon Web Services (AWS) and have a business associate agreement (BAA) in place with Amazon.
Redox applications and databases are redundant across AWS Availability Zones (AZs), so if an outage occurs in one AZ, we fail over with minimal interruption to traffic.
Our databases are encrypted with 256-bit AES. Database filesystems are encrypted using AWS-managed keys. Encrypted backups are taken nightly and stored in a separate geographic location.
Application containers and our database reside in a private subnet, inaccessible from the outside internet. Access is restricted to the application and bastion layers.
The Redox API scales to balance traffic across available application instances. Our endpoints receive automatic security updates, and we force HTTPS at the endpoint layer.

Certifications


HITRUST is the leading and most widely recognized third-party auditing framework within healthcare. HITRUST evaluates enacted security measures against multiple industry standards and regulations to prove platform compliance. Because the assessment is rigorous and challenging, our HITRUST CSF certification demonstrates to our partners that data security is the highest priority at Redox.

SOC 2 is an industry-standard report for technology service providers that verifies compliance and controls pertaining to Security and Availability. "Type 2" indicates that the controls were evaluated over a multi-month period rather than at a single point in time.

Third-Party Audits

Redox contracts a number of independent audits:

We undergo multiple third-party penetration tests yearly, including manual penetration testing of our application as well as internal and external network penetration testing of our infrastructure, to identify potential system vulnerabilities. This ensures that security issues are identified and resolved before they can be exploited and that data is properly guarded. Code audits are performed regularly to scan our code base and find and address any security vulnerabilities. Intrusion detection is used to monitor all system-level events and escalate anomalous activity, such as a user escalating their privileges or modifying files.


Application Connectivity

All data transmitted between an application and Redox is encrypted end to end over an HTTPS connection. Within the Redox application, we support the modern industry OAuth and SAML standards to authenticate applications that send data to Redox and to authenticate with applications that receive information from Redox.

We store sensitive credentials as salted and hashed values for an additional layer of security. Redox supports two-factor authentication for all users accessing the Redox Engine Dashboard and requires it for all personnel with customer support responsibilities, to further protect access to PHI.


VPN Security

TCP traffic from health systems is encrypted via a secure VPN connection. We use IPsec to ensure all traffic within the VPN is encrypted and authenticated. The VPN is continuously monitored with a heartbeat to ensure the connection remains healthy.


Operational Security

Redox staff must comply with Redox's acceptable-use policy prior to gaining access to any protected systems or data. This includes using strong passwords, encrypting their device, enabling multi-factor authentication on all applicable systems, undergoing security training appropriate to their role, running anti-malware endpoint protection, and running Redox's device provisioning application.


Business Continuity & Issue Management

Redox maintains detailed processes for downtime events, ranging from a simple container failure to a large-scale regional failure of our AWS host. These scenarios are reviewed and tested regularly for accuracy and training.

Redox also maintains a structured process for identifying, escalating, and responding to security incidents. This process includes guidelines for ensuring containment of at-risk data, controls for system stability and performance, and a notification process if customers are affected.

Want to Learn More?

Redox is committed to continually working on security enhancements as technology changes and our infrastructure evolves. If you have any questions about our security measures or technology, feel free to reach out to us.
(Please do not send any PHI over email under any circumstance).
